Under EU law, the GDPR (General Data Protection Regulation) ensures privacy and data protection for all individuals residing in the European Union. The GDPR replaces the Data Protection Directive 95/46/EC and focuses on safeguarding the privacy and interests of users in the EU. Therefore, if any user from the EU accesses your product or services, you need to comply with the GDPR. Regardless of whether your business operates out of the EU, the GDPR applies to you if you track user activity on your website or app (for marketing or personalization) or capture any Personally Identifiable Information such as name, email address, IP address, cookies, or location. Let us take a look at the compliance requirements of the GDPR.
What Are The Guiding Principles for GDPR?
Overall, the GDPR emphasizes the following attributes:
Right to Data Collection
This part addresses whether your business has the right to collect and process user data and personal information.
Right to Data Processing
This part addresses the way user data is handled.
Right to Data Collection
As a website owner, you can collect and process users' personal data provided that you have a 'lawful basis' to justify it. Having a lawful basis gives you the right to process user data under the following scenarios:
1. Consent
By definition, consent is an affirmative action taken by the user that allows a business to capture their personal data. EU law is very specific about this and stipulates that every user consent has to be a clear affirmative action. Therefore, you cannot use pre-checked checkboxes in the notifications when asking for consent.
Furthermore, consent must be given freely, not enforced or incentivized. Users must be specifically informed of the exact purposes for which they are sharing their information. Businesses must ask for user consent in an unambiguous, documented, and easily withdrawable consent form. To incorporate the changes introduced by the GDPR, you will also need to ask your existing subscribers to opt in to your services again.
2. Contractual Obligation
Contractual obligation applies when a contract between the business and the user requires processing the user's personal data. For example, if a user opts to purchase an insurance policy, the service provider needs the user to provide his or her personal information.
3. Legal Obligation
If a business is bound by a legal obligation, it is allowed to collect and process personal data. For example, asking users to provide their social security number when opening a new savings account is a legal obligation and is therefore allowed.
4. Vital Interest
Businesses can collect personal data if it is in the vital interest of the user. For example, obtaining an individual's previous health records is essential for providing medical prescriptions or health advice.
5. Legitimate Interest
Legitimate interests of the users could be one of the reasons that allow businesses to collect their personal information, although the definition of legitimate interest is open to interpretation. Examples of legitimate interest include processing data for direct marketing, fraud detection, and internal compliance requirements such as payroll.
6. Public Task
Businesses can also justify processing data if it is necessary for a task performed in the public interest. This basis can allow government authorities or local entities to process the personal data of individuals.
Right to Data Processing
Data processing comprises all activities or operations performed on users' personal information, including data access, collection, transfer, modification, usage, and storage. As a business owner, therefore, you need to make sure that all data operations follow secure protocols and that the policies for data retention are clearly outlined.
Furthermore, users must be able to access, export, modify, and delete their own data. If your website assigns users an identifier, the tool you use must provide you with a set of APIs or an interface for performing these operations.